ACM import certificate error - The certificate chain provided is not in a valid PEM format.

0

hi, I'm trying to import a letsencrypt ssl certificate. It is working ok with apache on a EC2 server, but I keep getting errors when importing to ACM. The certificate file which works is actually a bundle with the certificate itself and the chain, so I proceed to extract it:

openssl x509 -in mycert.crt -out chain.pem -outform PEM

This just cuts the first part of the crt file, starting from ----BEGIN CERTIFICATE ---- to ---END CERTIFICATE ---. I paste this on the ACM form.

The key is a few lines base64 encoded enclosed in -----BEGIN EC PRIVATE KEY----- and ---- END EC PRIVATE KEY-----. I paste this as is.

Then the chain I tried a number of things: pasted the two remaining certificates from the original crt file, extracted them from the live site, and a few more I dont remember. Also tried inverting first and second in case they are swapped. No matter what I try always get the no valid PEM format error. The pasted code looks like this:

-----BEGIN CERTIFICATE-----
.....base64 stuff ....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.....base64 stuff....
-----END CERTIFICATE-----

Please advice

asked 2 years ago1142 views
1 Answer
0

From

----BEGIN EC PRIVATE KEY-----

You are trying to import a Let's Encrypt ECDSA cert. If I recall correctly, one of the intermediate cert is RSA.

ACM only accept imports when TLS and all intermediate certs are ECDSA. As a workaround, you can import cert into IAM

Alternatively, AWS Certificate Manager now supports Elliptic Curve Digital Signature Algorithm TLS certificates. You can request a Elliptic Curve Digital Signature Algorithm (ECDSA) P-256 or P-384 cert directly from ACM instead of using Let's Encrypt cert.

AWS
EXPERT
MikeLim
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions